The Web surfing history saved in your Web browser can be accessed without your permission. JavaScript code deployed by real websites and online advertising providers use browser vulnerabilities to determine which sites you have and have not visited, according to new research from computer scientists at the University of California, San Diego.

The researchers documented JavaScript code secretly collecting browsing histories of Web users through “history sniffing” and sending that information across the network. While history sniffing and its potential implications for privacy violation have been discussed and demonstrated, the new work provides the first empirical analysis of history sniffing on the real Web.

“Nobody knew if anyone on the Internet was using history sniffing to get at users’ private browsing history. What we were able to show is that the answer is yes,” said UC San Diego computer science professor Hovav Shacham.
The computer scientists from the UC San Diego Jacobs School of Engineering presented this work in October at the 2010 ACM Conference on Computer and Communications Security (CCS 2010) in a paper entitled, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications”.

History Sniffing

History sniffing takes place without your knowledge or permission and relies on the fact that browsers display links to sites you’ve visited differently than ones you haven’t: by default, visited links are purple, unvisited links blue. History sniffing JavaScript code running on a Web page checks to see if your browser displays links to specific URLs as blue or purple.

History sniffing can be used by website owners to learn which competitor sites visitors have or have not been to. History sniffing can also be deployed by advertising companies looking to build user profiles, or by online criminals collecting information for future phishing attacks. Learning what banking site you visit, for example, suggests which fake banking page to serve up during a phishing attack aimed at collecting your bank account login information.

Arrington added that “as soon as Zuckerberg unsubscribed I lost the ability to add him to any further groups at all, another protection against spamming and pranks.”

A Facebook spokeswoman confirmed that group members can only add their friends to the group. “If you have a friend that is adding you to groups you do not want to belong to, or they are behaving in a way that bothers you, you can tell them to stop doing it, block them or remove them as a friend — and they will no longer ever have the ability to add you to any group,” she wrote in an e-mail. “If you don’t trust someone to look out for you when making these types of decisions on the site, we’d suggest that you shouldn’t be friends on Facebook.”

“Do Not Track” would be akin to the “Do Not Call” list opt-out consumer registry to prevent unsolicited sales pitches and other calls, and right now looks to have a legitimate shot at reaching the proposed legislation level, if not further. The privacy advocacy, Consumer Watchdog, is running an ad in Times Square (on a 540-square foot digital billboard no less) mocking Google’s CEO Erik Schmidt as a snooping ice cream man.

Now Schmidt (and Facebook’s Mark Zuckerberg) have made some very boneheaded public statements about online privacy — and I’m a huge advocate of online privacy — but the reality is some level of tracking is necessary to keep the internet rolling along in its current fashion. Take away the legitimate revenue from data mining web user’s habits and all of a sudden you’ll be running into paywall after paywall of premium content. And on top of that, the technology to track web usage wouldn’t be going anywhere, it would just only be utilized by criminals or entities looking to circumvent anti tracking regulations.

Because of Schmidt and Zuckerberg’s public idiocy on online privacy, and actual privacy gaffes like Facebook’s well-publicized multiple self-inflicted wounds, the general public is much more aware of exactly how tracked they are, and even if they don’t understand exactly how that data is used, they don’t like it. Consumer Watchdog’s commissioned poll (grain of salt here due to the poll’s source) found 80 percent of the public supporting a “Do Not Track” registry. That is a high number.

So now that the online privacy debate has gone mainstream, look for likely legislation to his Washington sometime soon. And if all comes to pass, the Federal Trade Commission may get its say in this process. Is that what anyone really wants? I doubt it.

From the link:

Do Not Track legislation would be similar to the national Do Not Call registry, allowing consumers to opt out of having their web activities tracked for advertising purposes. It is a concept that has gained surprising momentum – surprising, given the gridlock that otherwise exists on Capitol Hill – and could well be proposed as legislation in the upcoming session. House Energy and Commerce Communications Subcommittee ChairmanRick Boucher, D-Va., and Energy and Commerce Consumer Protection Subcommittee ChairmanBobby Rush, D-Ill., are working on privacy legislation that they hope to have ready for for the next Congress. The Do Not Call list would likely be included.

Then there is the Federal Trade Commission. FTC Chairman Jon Leibowitz told a Senate panel that the commission is exploring the idea as well (via Nextgov). The opt-out process could be run by the FTC or some private sector entity, he suggested.

In the wake of revelations that the US military network was compromised in 2008, and that US digital interests are under a relative constant threat of attack, the Pentagon is establishing new cyber security initiatives to protect the Internet. The Pentagon strategy–which is part digital NATO, part digital civil defense, and part Big Brother–may ruffle some feathers and raise concerns that the US Internet is becoming a military police state.

The mission of the United States Department of Defense is to provide military forces needed to deter war and protect the security of the nation. The scope of that mission includes emerging threats and the need to deter cyber war and protect the digital security of the nation as well. To fulfill that mission in an increasingly connected world, and with a rising threat of digital attack, the Pentagon wants to expand its sphere of influence.

This really is a tough issue. Certainly you want the nation to be safe, but at the same time the internet is largely a borderless “pseudo-nation” and clamping down too hard — not unlike the great firewall of China — can stifle much of what makes the net great. No easy answers here, but dramatically increasing the power of the government — particularly the military — over the private sector is not an acceptable solution.

What’s the deal with CEOs of big name internet companies going off the rails? Here’s Yahoo’s Carol Bartz from back in May, and now Google’s Eric Schmidt has made an increasing series of completely ridiculous statements culminating (for now) with this doozy. I hope this was said tongue-in-cheek and didn’t translate to the printed word. For some reason I doubt it. Do no evil, indeed.

From the second link:

Google (GOOG) is often accused of behaving like Big Brother, and Google’s CEO Eric Schmidt isn’t doing much to dispel those perceptions. In fact, in an interview with the Wall Street Journal, Schmidt dropped an interesting — and frightening — tidbit: perhaps people should change their names upon reaching adulthood to eradicate the potentially reputation-damaging search records Google keeps.

“‘I don’t believe society understands what happens when everything is available, knowable and recorded by everyone all the time,’ [Schmidt] says. He predicts, apparently seriously, that every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends’ social media sites,” the Wall Street Journal reports.

I ran a muli-part post covering some of the more chilling aspects of online privacy last weekend, largely quoting the excellent Wall Street Journal series on the subject. This weekend here’s the best, and really most difficult, solution to the issue. I’m never for un- or even quasi- necessary regulation, so keeping the government out of online privacy oversight should remain the goal of anyone interested in the future of online freedom.

The key point from the second link (emphasis mine):

If a central authority such as Congress or the FTC were to decide for consumers how to deal with cookies, it would generalize wrongly about many, if not most, individuals’ interests, giving them the wrong mix of privacy and interactivity. If the FTC ruled that third-party cookies required consumers to opt in, for example, most would not, and the wealth of “free” content and services most people take for granted would quietly fade from view. And it would leave consumers unprotected from threats beyond their jurisdiction (as in Web tracking by sites outside the United States). Education is the hard way, and it is the only way, to get consumers’ privacy interests balanced with their other interests.

Three recent articles to ponder about how much — or really, how little — your online privacy is protected.

First up, from the Wall Street Journal, your data is money. I’m pretty sure just about anyone who’s been using the web for any amount of time knows all about tracking cookies, data mining and all that. This article goes into detail on just how much, and how detailed, information top visited websites collect on visitors.

From the link:

Hidden inside Ashley Hayes-Beaty’s computer, a tiny file helps gather personal details about her, all to be put up for sale for a tenth of a penny.

The file consists of a single code— 4c812db292272995e5416a323e79bd37—that secretly identifies her as a 26-year-old female in Nashville, Tenn.

The code knows that her favorite movies include “The Princess Bride,” “50 First Dates” and “10 Things I Hate About You.” It knows she enjoys the “Sex and the City” series. It knows she browses entertainment news and likes to take quizzes.

“Well, I like to think I have some mystery left to me, but apparently not!” Ms. Hayes-Beaty said when told what that snippet of code reveals about her. “The profile is eerily correct.”

Ms. Hayes-Beaty is being monitored by Lotame Solutions Inc., a New York company that uses sophisticated software called a “beacon” to capture what people are typing on a website—their comments on movies, say, or their interest in parenting and pregnancy. Lotame packages that data into profiles about individuals, without determining a person’s name, and sells the profiles to companies seeking customers. Ms. Hayes-Beaty’s tastes can be sold wholesale (a batch of movie lovers is $1 per thousand) or customized (26-year-old Southern fans of “50 First Dates”).

“We can segment it all the way down to one person,” says Eric Porres, Lotame’s chief marketing officer.

Also from the WSJ in the same series is an article with more on the same as above with an emphasis on consumer-tracking technology used by the top 50 sites.

From the link:

The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time.

The Journal’s study shows the extent to which Web users are in effect exchanging personal data for the broad access to information and services that is a defining feature of the Internet.

In an effort to quantify the reach and sophistication of the tracking industry, the Journal examined the 50 most popular websites in the U.S. to measure the quantity and capabilities of the “cookies,” “beacons” and other trackers installed on a visitor’s computer by each site. Together, the 50 sites account for roughly 40% of U.S. page-views.

The 50 sites installed a total of 3,180 tracking files on a test computer used to conduct the study. Only one site, the encyclopedia Wikipedia.org, installed none. Twelve sites, including IAC/InterActive Corp.’s Dictionary.com, Comcast Corp.’s Comcast.net and Microsoft Corp.’s MSN.com, installed more than 100 tracking tools apiece in the course of the Journal’s test.

Federal law requires communications providers to produce records in counterintelligence investigations to the FBI, which doesn’t need a judge’s approval and court order to get them.

They can be obtained merely with the signature of a special agent in charge of any FBI field office and there is no need even for a suspicion of wrongdoing, merely that the records would be relevant in a counterintelligence or counterterrorism investigation. The person whose records the government wants doesn’t even need to be a suspect.

The bureau’s use of these so-called national security letters to gather information has a checkered history.

The bureau engaged in widespread and serious misuse of its authority to issue the letters, illegally collecting data from Americans and foreigners, the Justice Department’s inspector general concluded in 2007. The bureau issued 192,499 national security letter requests from 2003 to 2006.

In this June 28, 2010, file photo, Senate Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., gestures on Capitol Hill in Washington. Invasion of privacy in the Internet age. The administration’s proposal to change the Electronic Communications Privacy Act “raises serious privacy and civil liberties concerns,” Leahy said Thursday, July 29, 2010, in a statement. Expanding the reach of law enforcement to snoop on e-mail traffic or on Web surfing. Those are among the criticisms being aimed at the FBI as it tries to update a key surveillance law.

As much as I love the Chrome browser, I don’t see myself switching to the Chrome OS, but it will be very interesting to see how quickly it’s adopted and how it actually works out in the wild stability- and privacy-wise. Particularly the latter of those two.

From the link:

Google said Wednesday it is planning to release its Chrome operating system, seen as a rival to Microsoft’s Windows system, for free in the autumn.

June 1, 2010

I find this poll very dubious to say the least. I’m guessing there’s a serious methodology issue in the surveyed population. A very tech savvy crowd would have a much higher awareness of Facebook privacy issues, and would also be much more likely to have a strong, and or negative, opinion of the privacy issue than the average casual social networker.

From the link:

More than half of Facebook users are considering dumping the popular social networking site because of privacy concerns, according to the results a new Sophos poll .

Abingdon, U.K.-based Sophos said 16% of poll respondents said have already stopped using Facebook because of privacy issues. The results of the online poll of some 1,600 Facebook users, released this week, found that 30% are “highly likely” to quit Facebook due to privacy concerns, and another 30% said it was “possible” they would leave the site for the same reason.

Meanwhile, 12% of respondents said that won’t leave he site and 12% said it’s “not likely” that they’ll quit Facebook

A report in the Wall Street Journal indicates that a number of social networking sites (including Facebook, MySpace, and Digg) may be sharing users’ personal information with advertisers. Since the Journal started looking into this possible breach of privacy, both Facebook and MySpace have moved to make changes.

The practice is actually a somewhat defensible one–and most of the companies involved did try to defend it–in which the advertisers receive information on the last page viewed before the user clicked on their ad. This is common practice all over the web, and, in most cases, is no issue–advertisers receive information on the last page viewed, which cannot be traced back to the user. In the case of social networking sites, the information on the last page viewed often reveals user names or profile ID numbers that could potentially be used to look up the individuals.

Depending on what those individuals have made public, advertisers can then see anything from hometowns to real names.

The Journal interviewed some of the advertisers who received the data (including Google’s (GOOG) DoubleClick and Yahoo’s (YHOO) Right Media), who said they were unaware of the data and had not used it.

For some reason I find that last claim from DoubleClick and Right Media a bit hard to believe.

If you use Facebook, running this tool is a pretty good idea. It’ll at least let you find out exactly what parts of your profile are exposed where and to whom. With the steady diet of privacy setting changes that require opting-out instead of opting-in, you might be surprised where your Facebook information stands in the public/private online sphere.

From the link:

About a week ago, as frustration with Facebook and its privacy settings reached its pinnacle, Matt Pizzimenti, a software engineer and cofounder of Olark.com, launched ReclaimPrivacy.org, a site that scans your Facebook settings and warns you of what information you’re exposing to the public.

“I felt that [Facebook’s] navigation was too complicated to explain to my less-technical friends and family, so I built this tool to help them quickly see their privacy settings and change them,” Pizzimenti says.

Since its incorporation just over five years ago, Facebook has undergone a remarkable transformation. When it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public informationmay be shared by Facebook with its partner websites and used to target ads.

The huge social networking site (and new heavyweight champs of the internet for the foreseeable future) has an absolutely terrible record regarding privacy.

This post from the Information Technology and Innovation Foundation posits that the right to privacy isn’t a right to Facebook. I completely agree. Facebook doesn’t charge its millions (and millions) of users in exchange for very heavy, and increasing, levels of data mining. The post also laments the current threat of Congressional action in reaction to Facebook’s latest pubic statements and actions against user privacy. Another great point

This bit from the link is correct:

Certainly some users may still object to this tradeoff. But if you don’t like it, don’t use it. Facebook is neither a right nor a necessity. Moreover, it is a free tool that individuals can use in exchange for online advertising. In fact, one high-profile Facebook user, the German Consumer Protection Minister Ilse Aigner, has already threatened to close down her Facebook profile in protest of Facebook’s new privacy policies. Users that feel this way about Facebook’s changes should vote with their mouse and click their way to greener pastures. Companies respond to market forces and consumer demands, and if enough users object to the privacy policy of Facebook, these individuals should be able to find a start-up willing to provide a privacy-rich social networking experience.

But this second point actually perfectly illustrates where Facebook has the wrong approach toward user privacy, both from a business standpoint and personal protection standpoint:

Even Facebook responds to public opinion and consumer pressure. In December, Facebook modified its privacy settings so that certain information including friends list, gender, city, and profile photo, would be public information. In response to complaints from some users, Facebook modified its interface to give users more control over the privacy of different types of information. Neither was this the first time that Facebook revised its policies in response to consumer behavior. In 2006, Facebook altered its policy regarding its “news feed” feature that updates users about their friends’ activities.

The problem here is Facebook has repeatedly and arbitrarily taken actions that once exposed managed to royally piss off its user base to the point it had to immediately backtrack and change the changes. Do that once and its an example of a young company going through growing pains. Do it repeatedly and those actions are just those of a very bad corporate actor consistently pushing as hard as it can with zero regard for its user base. And that user base is all Facebook has going for it. It is massive and not going away overnight, but pressed hard enough and over enough events, and that user base could very well could disappear. It would probably take a defection of its growing middle-aged and up contingent, but Facebook would be very foolhardy to think it couldn’t happen.

March 11, 2010

The argument about the generation growing up with social media and handheld audio/visual recording devices (otherwise known as mobile phones) is a pretty good one. I wouldn’t disparage the generation out of hand, though. It’s entirely possible they grow into a heightened sense of online privacy and a clear understanding of just what’s important and not in the public/private legal debate.

From the link:

If the public wants online privacy it had better fight now for laws to protect it because businesses won’t and individuals don’t have the clout, security expert Bruce Schneier told RSA Conference attendees.

The longer information-privacy policies go unset, the more likely it is that they never will be set, says Schneier, an author of books about security and CTO of security consultant BT Counterpane. As young people grow up with broad swaths of information about them in the public domain, they will lose any sense of privacy that older generations have.

And they will have no appreciation that lack of privacy shifts power over their lives from themselves to businesses or governments that do control their information. Laws protecting digital data that is routinely gathered about people are needed, he says. “The only lever that works is the legal lever,” he says. “How can we expect the younger generation to do this when they don’t even know the problem?”

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft’s stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it “quasi-comprehensive” because, at a mere 22 pages, it doesn’t explore the nitty-gritty of Microsoft’s systems; it’s more like a data-hunting guide for dummies.

Which of My Microsoft Services are Affected?

All sorts. Microsoft keeps user information related to its online services. The data ranges from past e-mails to credit card numbers. The information is kept for a designated period of time, sometimes forever.

Loosely defined, cloud computing involves programs or services that run on Internet servers. Despite the buzz surrounding it, the idea isn’t new–think Web mail. But huge benefits, such as being able to gain access to your data from anywhere and not having to worry about backups, have led more people to leap to the Internet to do everything from writing documents and watching movies to managing their businesses. Unfortunately, privacy is often still stuck at home.

Behind the Times

Archaic laws that focus on where your information is, rather than what it is, are part of the problem. But a disturbing lack of respect for essential privacy among industry heavyweights who should know better is also evident.

Consider comments that Google CEO Eric Schmidt made during a recent CNBC interview. In response to the question, “People are treating Google (GOOG) like their most trusted friend. Should they be?” Schmidt responded, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

This kind of “only the guilty have anything to hide” mindset is a privacy killer, and rests on the completely flawed no tion that people want privacy only when they’re doing something wrong. There’s nothing wrong with my taking a shower or searching for information about a medical condition. But it’s still private.

It’s possible Schmidt spoke without thinking–Google is mum for now on the prospect of issuing a clarification of any kind. But meanwhile, privacy is taking a pounding in other areas, as well.

Last summer, a U.S. District Court judge in Oregon ruled that government law enforcement agencies need not provide you with a copy of a warrant they have obtained in order to read all of your e-mail stored on an Internet server–where most of us keep e-mail these days. It’s sufficient to give your Internet service provider notice, according to Judge Michael Mosman.

In his opinion and order, Mosman noted the Fourth Amendment’s “strong privacy protection for homes and the items within them in the physical world.” Still, he said, “When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all.”

I bolded that last bit of text, and that may be the most important statement regarding cloud computing and privacy — when you are operating in the cloud, United States Fourth Amendment law as it is currently read does not protect your privacy.

Let me restate that — any actions you take in any aspect of cloud computing conceivably are not covered by your Fourth Amendment right to privacy. This fact should give anyone who is considering the cloud for anything beyond trivial usage a great deal of pause.

I understand Google wanting to do business with such a massive market, but it made serious concessions regarding censorship when it went into China so it can’t be all that shocked when China decides to just go out and do whatever it wants.

The company disclosed in a blog post that it had detected a “highly sophisticated and targeted attack on our corporate infrastructure originating from China.” Further investigation revealed that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” Google’s post said.

Google did not specifically accuse the Chinese government. But the company added that it is “no longer willing to continue censoring our results” on its Chinese search engine, as the government requires. Google says the decision could force it to shut down its Chinese site and its offices in the country.

Don’t like what a website has done with your personal information? Don’t understand its privacy policies? A new privacy complaint site is now open for business–created by an Internet freedom and privacy advocacy group in Washington, D.C. called the Center for Democracy and Technology (CDT).

Complaints can be shared with your social network via sites like Twitter and Facebook, and also forwarded to the Federal Trade Commission (FTC). If enough complaints surface, it’s possible that the FTC will launch an investigation into whether a website is violate existing laws.

Looking for privacy in the clouds

DURHAM, N.C. — Millions of Internet users have been enjoying the fun — and free — services provided by advertiser-supported online social networks like Facebook. But Landon Cox, a Duke University assistant professor of computer science, worries about the possible down side — privacy problems.

When people post pictures or political opinions to share with their friends, they’re actually turning them over to the owners of the network as well.

“My concern is that they’re under the control of a central entity,” Cox said. “The social networks currently control all the information that users throw into them. I don’t think that’s necessarily evil. But it raises some concerns.”

For instance, MIT student experimenters have demonstrated the ability to sneak in and download more than 70,000 Facebook profiles. And a BBC technology program also showed how such personal information could be stolen.

“A disgruntled employee could leak information about social network users,” Cox said. “They could also become attractive targets for hackers and other computer ne’er-do-wells.”

Though users may not have caught this when they clicked to accept a site’s terms of service, they’ve largely signed away the rights to their own data by joining an Online Social Network. “These rights commonly include a license to display and distribute all content posted by users in any way the provider sees fit,” Cox said.

To delve deeper into these issues and begin the search for alternatives, Cox recently won a $498,000, three-year grant from the National Science Foundation. The funding is part of the federal stimulus package called the American Recovery & Reinvestment Act of 2009 (ARRA). He and two of his graduate students, Amre Shakimov and Dongtao Liu, are collaborating closely with Ramon Caceres at AT&T Labs in Florham Park, N.J., which is also a major supporter.

“What the grant will do is fund research into alternatives for providing social networking services that don’t concentrate all this information in a single place,” he said. Cox’s notion is instead to create what network architects would call a “peer-to-peer” system architecture in which information is spread out. Being distributed, individual data is thus harder to steal or otherwise exploit.

“The basic idea is that users would control and store their own information and then share it directly with their friends instead of it being mediated through a site like Facebook. And there are some interesting challenges that go along with decomposing something like Facebook into a peer-to-peer system.

“Facebook is a great service because it’s highly available and really fast. When you break something into thousands and millions of different pieces instead, you’d want to try to recreate the same availability and performance. That’s the research challenge we’re going to be looking at over the next three years.”

Cox proposed three possible options in a report for the Association for Computing Machinery’s Workshop for Online Social Networks in Barcelona in August 2009. In each, users would load their personal information into what is called a “Virtual Individual Server,” or VIS.

One option would host each social network user’s VIS on his or her own desktop. “But the problem with desktop machines is that they go down all the time,” Cox said. “When desktops are shut off they are not available.”

An alternative idea is to distribute VISs within redundant “clouds” of servers such as those offered by the Amazon Elastic Computer Cloud. “Amazon will run little computers on your behalf out in their infrastructure,” Cox said. “The nice thing about that is the service will never go down. But the problem is that it’s very expensive. It costs about $50 a month to have just one server out in the cloud.”

A third notion is called “hybrid decentralization.” The idea is to keep VISs on desktops when possible but switch to the more costly and reliable cloud distribution option when individual desktops go offline.

“So there are these different tradeoffs,” Cox said. “Users can try to put their information in clouds of servers, which are going to be highly available but expensive. Or they could try to store it on their own machines, which would be cheap but subject to service interruptions.”

Under his NSF stimulus grant, Cox will be able to pay Shakimov and Liu for three years and fund some of his own work to explore those options. Other AT&T Labs research participants besides Caceres are Alexander Varshavsky and Kevin Li. Amazon is also providing equipment support.

“The research will point in a couple of directions,” he said. “Can we get a desktop machine to intelligently switch over to a cloud? Can we reduce the cost by only using a cloud when the desktop is not available?”

Or perhaps the same information can be put in a number of places in the hope that at least one of those computers is always working. “So in addition to serving my own stuff I might ask my friends to serve my stuff as well,” Cox said.

“The problem there is that now you’re trusting somebody else to serve and store your data. We have some interesting challenges ahead.”

There are many pitfalls out there vis-a-vis security and privacy and cloud computing. Both enterprise and individuals should approach cloud computing methodically and really put some thought into what data goes into the cloud.

From the link:

The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won’t be easy.

Also from the link:

Access to personal data on the cloud from just about anywhere on a variety of devices, from smartphones and laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.

“As an attacker, you should be licking your lips,” said Haroon Meer, a researcher at Sensepost, a South African security company that has focused on Web applications for the past six years. “If all data is accessible from anywhere, then the perimeter disappears. It makes hacking like hacking in the movies.”

4) Sadly, You Really Can’t Trust Your Friends or Your Social Network
As a tweet from the Websense Security Labs recently stated, “Web threats delivered via your personal Web 2.0 social network is the new black — do not automatically trust suspicious messages from friends.” The social networking explosion has created new ways of delivering threats. Web users are so accustomed to receiving tweets with shortened URLs, video links posted to their Facebook pages and email messages purportedly from the social networking sites themselves that most people don’t even hesitate to click on a link because they trust the sender.

The unfortunate reality is that criminals are taking advantage of that trust to disseminate malware and links to infected Web sites. Websense Security Labs recently found examples of e-mails sent from what appeared to be Facebook, but were really from criminals that encouraged users to click on a link to a “video” that was actually a page infected with malware.

Not only is social networking not private, for the most part you are ceding some, or all, of the rights to material you post to social networking websites. Once your material is on their servers, you’ve essentially given it away. Something to think about.

From the link:

A study conducted by the University of Cambridge discovered that social networking sites such as Facebook and MySpace do not immediately remove from its servers photos that have been deleted by users. The study audited 16 different social networking sites by uploading photos, noting their URLs, and then deleting them. Thirty days later researchers checked the URLs, and in the case of 7 sites, the photos had not been removed from content delivery networks.

Other sites were able to remove pictures immediately, and surprisingly, frequent security offender Microsoft was one of them: Windows Live Spaces had immediate removal of photos. Also on the ball were Orkut, Photobucket, and Flickr.

May 15, 2009

It ought to go without saying, but don’t waste your time with online quizzes — that free IQ test, RealAge and others — unless you’re interested in providing personal information to marketers, or even more nefarious characters.

From the link:

While Web quizzes may be fun to take, they’re also a powerful tool for companies to collect your data and even your money–and often in ways you might not notice. We’ll get to the spooky stuff in a moment, but let’s start with the simplest method of quiz-based marketing: advertising. The very nature of a typical online quiz requires you to divulge all sorts of details about yourself. Those tidbits of info are like nuggets of gold for advertisers craving a way to connect with you.

“The big trend is about engagement,” says Debra Aho Williamson, a senior analyst with eMarketer. “These quizzes are getting people to pay attention to ads.”

Paying attention, it seems, is almost a requirement: Aside from being carefully targeted at your interests, the ads are often in-your-face and impossible to avoid. Take, for example, TheFreeIQTest.com, a quiz I found via a text ad on Google. By the time I clicked through the 105th “offer” (aka advertisement) it threw in front of my results–no exaggeration–I gave up without seeing the results of the quiz.

“There’s a clear annoyance factor, leading people to one thing, then at the last minute bait-and-switching them,” Williamson says. “The challenge with this type of advertising is walking that line between people wanting it and people wanting it to go away.”

April 28, 2009

Courtesy of CIO.com. A nice breakdown of how to set up a Google Profile and why you might want to do it.

From the link:

This week, Google launched Google Profiles, which lets you build an online biography listing your interests, educational and professional background, and links to your data on websites like Twitter, Facebook and Flickr.

While some industry analysts view Google Profiles as a competitor to Facebook’s profiles, Google says the main purpose of Google Profiles (right now) is to create a centralized repository for your information on the Web, so that when someone uses Google’s search engine to find you, they actually find you, not another person with the same name.

You don’t have to don a black hat and prowl the murkier waters of the internet to find an app as dirty as a password stealer — just hit download.com.

This is the extreme edge of controlling your security, but it is a useful bit of advice from the linked article, ” … always assume that any login entered on any public computer is compromised and should have its password changed as soon as you’re back at a trusted PC.”

More from the link:

A simple search can turn up a keylogger program available for download on numerous sites, including PCWorld.com, with the idea that the tools are offered for personal use to catch someone messing around on your own PC, or perhaps for concerned parents. That may be a thin veneer, but Christopher Boyd posted on the SpywareGuide Greynets Blogthe he came across a tool available as a free download at the oft-visited download.com that exists solely to steal passwords for IM accounts.

The app presents a fake IM app and captures usernames and passwords that are typed into the window, according to Boyd. It’s a bit of a stretch to think of how such a tool might be meant for personal use to catch snoops on your own computer, especially with a description like “This is perfect if a visitor is coming round who wants to access their IM account.”

Twitter does have a vested interest in fighting any perception of privacy issues. Privacy is going to be an increasing valuable currency in the social networking world as more general users become privacy savvy.

Salesforce.com Inc.’s announcement that it will integrate Twitter into its Service Cloud offering may be a great way to ascertain brand reputation, but experts warn of “Big Brother” fears among Twitter users.

The San Francisco-based company will release, this summer, its customer relationship management (CRM) tool for Twitter, which will allow companies to perform keyword searches in the social networking platform. The idea is that companies can assess sentiments regarding their products or services, pull that data into their CRM, and even perhaps identify the user who made the comments.

But there is the potential the community will raise privacy concerns, said Aphrodite Brinsmead, New York-based customer interaction technologies analyst with research firm Datamonitor. “If people using Twitter know that someone is pulling every single last word they say like a Big Brother scenario, people might be a bit more wary about what they’re posting,” said Brinsmead.

April 8, 2009

Stories like this will do serious harm to the Twitter brand. Online privacy has been a long raging topic, but as more and more non-techies get into the web 2.0 world of social networking the issue will gain even more traction.

Not long after Twitter launched, Stephanie Robesky of Atomico, the venture fund established by the former founders of Skype, registered @Skype while still at the company. But, she says in a blog post yesterday, she forgot about the move, only to be reminded of it after she realised a Twitter employee had handed out her name, email address and contact details to someone at Skype who then contacted her. In an open letter to Twitter yesterday, she blogged:

“This is a violation of my privacy and, quite honestly, probably a big violation of your privacy policies. It is unprofessional of your team to hand out users information regardless of circumstances and this is something that we never would have done at Skype – even if Obama himself couldn’t log in to an account that he says wasn’t even his! I hope that you and your team take privacy more seriously in the future.”

She told me on email: “I registered the Skype Twitter name because I worked at Skype at the time so thought it might have been of use to us at some point. I’m sure I told someone in marketing who ignored me and had no clue at the time what Twitter was. Left Skype last year and forgot that I even had registered the name until yesterday… Glad they don’t have my credit card details.”

April 4, 2009

Privacy is the big bugaboo with social networking. Just ask Facebook after its terms of service debacle. This CIO.com article does a good job of laying out the importance of privacy (or lack there of for users) in terms of social networks being able to significantly monetize and how any social networking site is one security breach away from losing all the cards up its sleeve.

From the link:

As social networks like Facebook and LinkedInstrive to formulate sustainable business models built upon advertising or the selling of premium services, the biggest hurdle they face might rest within their users’ increased awareness of online privacy.

The common assumption that social networking users don’t care about privacy is misguided. The majority of people who use social networks (nearly 60 percent or more) have already modified their privacy settings, according to two separate research studies from the Pew Internet & American Life Project and School of Information and Library Science. Furthermore, privacy experts warn that an unfortunate (but perhaps inevitable) security breach that exposes user data over social networks in the coming years could cause a privacy tipping point in which users push back in a more substantive and widespread way.

“Privacy will become more important when the information is used for more nefarious reasons, like for stealing your identity,” says Larry Ponemon, president of the Ponemon Institute, a privacy research firm.

For their part, executives at major social networking sites and their advertisers argue that a culture of greater openness on the Web will prevail. They also say increased user attention to privacy could actually be advantageous to their business: If people feel comfortable with who can see their Facebook profile, for instance, they are more likely to be honest with the information they contribute to the network, which helps in serving up relevant ads that people might click on.

Dubbed the Online Privacy Bill of Rights, the law may require companies to get approval from consumers before collecting information about their Web-surfing habits, a process known as behavioral targeting that helps Web sites more strategically place ads. The legislation may also demand that companies disclose more information on how they collect and use people’s Web-use data. “There is a reasonable chance that we will see something in the next Congress,” says Michael Hintze, an associate general counsel at Microsoft (MSFT).

Watching what you watch

Legislative interest in ad targeting spiked amid recent hearings over a company called NebuAd, which makes devices that attach to the networks of Internet Service Providers and log surfers’ movements(BusinessWeek.com, 8/14/08). Lawmakers are particularly interested in the implications of NebuAd’s technology, known as deep packet inspection (DPI), one of the most comprehensive ways of keeping tabs on what people do online.

An examination of NebuAd prompted congressional staffers to look at ad targeting more broadly. On Aug. 1, Markey’s committee sent letters to 33 companies, including Google (GOOG), Yahoo! (YHOO), and Microsoft, asking each to outline its tracking practices.

Behavioral targeting has come into its own in recent years as companies crafted ever more powerful methods for combing through data. Internet companies have bolstered their ability to target ads through the acquisition of large ad networks able to amass their own information on consumers’ site-viewing habits. During the past year, Microsoft acquired aQuantive, Time Warner’s (TWX) AOL snapped up Tacoda, Google purchased DoubleClick, and Yahoo bought BlueLithium. The use of ad networks surged from 5% of total ad impressions sold in 2006 to 30% in 2007, according to a study released Aug. 12 by the Interactive Advertising Bureau.

Google’s Move Toward Transparency

Markey’s office says the legislation is still in the planning stages. For instance, it’s unclear what kinds of targeting would fall under requirements that companies let consumers opt-in to letting their data be collected and used. Opt-in clauses could apply to DPI only, or they could include less comprehensive targeting, such as the methods employed by companies such as Google and Yahoo.

The industry is already reacting to new scrutiny from Congress and the Federal Trade Commission in an attempt to avoid federal intervention. During the past year, Yahoo, Microsoft, and AOL began allowing people to opt out of tracking on their sites. They also adopted policies for deleting or making search data anonymous after a certain time period. Updated policies were “long overdue,” says Jules Polonetsky, AOL’s chief privacy officer. “After behaving rather glacially, there has been a huge jump forward just in the past year.”